I ran a recent scan and INI:shortcut-inf trj was quarantined. However, Avast keeps alerting me that it was blocked,
but won’t allow me to access a common news site that I am able to access on an unaffected tablet.
I seem to have passed this (Trojan?) to my other computers (XP, win7, win8) via my pen drive.
Researching this I came upon a site : http://guides.yoosecurity.com/how-to-remove-jsscriptsh-inf-trj-manually/
that claims it cannot be removed w/malware tools, but must be removed manually. Can this be true? Please Help.
follow instructions and attach logs (not copy and paste) http://forum.avast.com/index.php?topic=53253.0
run in order listed
AdwCleaner / Malwarebytes / OTL / aswMBR
when done, removal experts will be notified and help you
when finished, all tools used will be removed
Monitoring
Here are 4 scan reports (on my win7 PC) that you suggested. I disabled Avast
when I ran these. Extras from OTL on next attachment
OTL extras report
Re-run OTL.exe.
[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.
:OTL
IE - HKLM\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://search.speedbit.com/search.aspx?s=CCPago&q={searchTerms}
IE - HKU\S-1-5-21-3418481927-3864338745-84878739-1000\..\SearchScopes\{7F4EFF06-7032-458e-AE16-1C1D8255C28A}: "URL" = http://search.speedbit.com/search.aspx?s=CCPago&q={searchTerms}
O2 - BHO: (SpeedBit Link Verification Helper) - {D5974A72-C81C-4DC3-BE77-A8A7BBC8864E} - C:\Program Files (x86)\DAP\LinkVerifier.dll (Speedbit Ltd.)
O4 - HKLM..\Run: [] File not found
O33 - MountPoints2\{08e55dd1-4e17-11e2-a445-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{08e55dd1-4e17-11e2-a445-806e6f6e6963}\Shell\AutoRun\command - "" = F:\Bin\assetup.exe
O33 - MountPoints2\{5b6757dd-4e36-11e2-bdc0-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{5b6757dd-4e36-11e2-bdc0-806e6f6e6963}\Shell\AutoRun\command - "" = D:\setup\rsrc\Autorun.exe
O33 - MountPoints2\{5b6757dd-4e36-11e2-bdc0-806e6f6e6963}\Shell\dinstall\command - "" = D:\Directx\dxsetup.exe
:commands
[CREATERESTOREPOINT]
[emptytemp]
[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open Notepad with a log report. Attach that log report here.
If the log doesn’t appear, it can be found here:
C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log
************ Next *************
Please download Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.
[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.
******** Next ********
Check USB storage devices / removable drives
Download MCShield from one of the following links:
MyCity - Official download link
Softpedija - Mirror download link
[*] Double click MCShield-Setup to install the application.
[*] Wait a few seconds for MCShield to finish its initial scan.
It is recommended that under the General and Scanner tabs you click the Defaults button to choose the recommended options.
[*] Connect your USB storage devices to the computer one at a time. Scanning will be done automatically.
When all scanning is done, you need to attach the log report that MCShield has created.
Start → All Programs → MCShield → Logs
Attach here → AllScans.txt
Explanation: USB storage devices are all the USB devices that get their own drive letter when connected to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.
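The O33 lines in the OTL fix above and the MCShield step both concern the same mechanism: a removable or optical volume can carry an autorun command, and Windows records under MountPoints2 the Shell commands it has seen for each volume. The following PowerShell is an added, read-only audit of both places; it is not the helper's script and not part of OTL or MCShield. It assumes Windows PowerShell 3.0 or later (Windows 7 with WMF 3, or Windows 8) and changes nothing, so it can be run before and after the fix to compare what is recorded.

```powershell
# Added example, not from the thread or from OTL/MCShield: list the MountPoints2 Shell
# commands a helper reads as O33 lines, and the autorun artifacts MCShield looks for on
# removable drives. Read-only; assumes Windows PowerShell 3.0 or later.
$mp2 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Get-MountPointAutoRunCommands {
    # MountPoints2 keeps one subkey per volume this profile has seen; the default value of
    # Shell\<verb>\command under it is the command Explorer recorded for that volume.
    $results = @()
    if (-not (Test-Path $mp2)) { return $results }
    foreach ($vol in Get-ChildItem $mp2 -ErrorAction SilentlyContinue) {
        $shell = Join-Path $vol.PSPath 'Shell'
        if (-not (Test-Path $shell)) { continue }
        foreach ($verb in Get-ChildItem $shell -ErrorAction SilentlyContinue) {
            $cmdKey = Join-Path $verb.PSPath 'command'
            if (-not (Test-Path $cmdKey)) { continue }
            $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
            $results += [pscustomobject]@{
                Volume  = $vol.PSChildName   # e.g. {08e55dd1-4e17-11e2-a445-806e6f6e6963}
                Verb    = $verb.PSChildName  # e.g. AutoRun, dinstall
                Command = $cmd               # the executable that would be launched
            }
        }
    }
    return $results
}

function Get-RemovableDriveAutorunArtifacts {
    # DriveType 2 = removable disk: flash drives, card readers and similar devices that
    # get their own drive letter, i.e. the class of device described in the explanation above.
    $results = @()
    $drives = Get-WmiObject Win32_LogicalDisk -Filter 'DriveType = 2' -ErrorAction SilentlyContinue
    foreach ($d in $drives) {
        $root = $d.DeviceID + '\'
        if (-not (Test-Path $root)) { continue }
        # -Force includes hidden and system files, the usual attributes of a planted autorun.inf
        $items = Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer -and
                           ($_.Name -ieq 'autorun.inf' -or (@('.lnk', '.inf') -contains $_.Extension.ToLower())) }
        foreach ($f in $items) {
            $results += [pscustomobject]@{
                Drive  = $d.DeviceID
                File   = $f.Name
                Hidden = [bool]($f.Attributes -band [IO.FileAttributes]::Hidden)
                System = [bool]($f.Attributes -band [IO.FileAttributes]::System)
                Bytes  = $f.Length
            }
        }
    }
    return $results
}

'== MountPoints2 Shell commands recorded for this user profile =='
Get-MountPointAutoRunCommands | Format-Table -AutoSize
'== autorun.inf / .lnk / .inf files at the root of attached removable drives =='
Get-RemovableDriveAutorunArtifacts | Format-Table -AutoSize
```

Legitimate entries appear in both lists too: the O33 lines in the fix above point at setup programs on D: and F:, which is what an installer disc leaves behind, and a .inf at the root of a vendor's USB stick can be harmless. The useful columns are Command (which executable a volume would launch) and the Hidden/System flags on root-level files; hand anything unexpected to the helper rather than deleting it, since removal stays with the fix scripts written for this machine.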
Hello Argus. Here are the scan reports.
Very clear directions from everyone. Thank you.
Hope this works
1. Open notepad and copy/paste the text present inside the code box below.
To do this, highlight the contents of the box and right-click on it. Paste this into the open Notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Start
AlternateDataStreams: C:\ProgramData\TEMP:56E2E879
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\36866716.sys => ""="Driver"
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\36866716.sys => ""="Driver"
CHR Extension: (Chrome In-App Payments service) - C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\0.0.4.11_0
C:\Users\John\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda
CHR HKLM-x32\...\Chrome\Extension: [bodfdknjhecmadheclfjkhhiofeagdbh] - C:\Program Files (x86)\DAP\daplinkchecker.crx
CHR HKLM-x32\...\Chrome\Extension: [ffdcfjdljhbehggjdkdioajnknjcpbjb] - C:\Program Files (x86)\DAP\DAPChrome\DAPChrome6.cr
C:\Program Files (x86)\DAP
Folder: C:\Users\John\AppData\Roaming\vlc
END
2. Save notepad as fixlist.txt to your Desktop.
NOTE: It’s important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.
3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.
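The fixlist above names three kinds of entries: a driver registered under SafeBoot\Minimal and SafeBoot\Network, an alternate data stream on C:\ProgramData\TEMP, and Chrome extensions installed through HKLM registry keys. The PowerShell below is an added, read-only check of those same locations, not FRST's own code and not the helper's script, so the state can be compared against Fixlog.txt after the fix. It assumes Windows PowerShell 3.0 or later (Get-Item -Stream needs it) run from an elevated prompt, and it uses the paths from the fixlist as defaults.

```powershell
# Added example, not from the thread or from FRST: read-only check of the three kinds of
# entries the fixlist names. Assumes Windows PowerShell 3.0+ in an elevated prompt.

function Get-SafeBootDriverEntries {
    # Everything under SafeBoot\Minimal and SafeBoot\Network is allowed to load in Safe Mode.
    # Entries named like a driver file are checked against System32\drivers; a missing file
    # does not by itself prove anything, but it is what a helper wants to see.
    $results = @()
    foreach ($mode in 'Minimal', 'Network') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem $key -ErrorAction SilentlyContinue) {
            if ($sub.PSChildName -notlike '*.sys') { continue }
            $file = Join-Path "$env:SystemRoot\System32\drivers" $sub.PSChildName
            $results += [pscustomobject]@{
                Mode       = $mode
                Entry      = $sub.PSChildName   # e.g. 36866716.sys in the fixlist above
                Value      = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).'(default)'
                FileExists = Test-Path -LiteralPath $file
            }
        }
    }
    return $results
}

function Get-AlternateDataStreams {
    param([string]$Path = "$env:ProgramData\TEMP")
    # Lists named NTFS streams other than the main ':$DATA' stream; this is the form the
    # "AlternateDataStreams: C:\ProgramData\TEMP:56E2E879" line in the fixlist reports.
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object { [pscustomobject]@{ Path = $Path; Stream = $_.Stream; Bytes = $_.Length } }
}

function Get-RegistryInstalledChromeExtensions {
    # Extensions registered under these keys are picked up by Chrome from the registry rather
    # than installed by the user in the browser; the "CHR HKLM-x32\...\Chrome\Extension" lines
    # in the FRST log come from the Wow6432Node key on a 64-bit system.
    $results = @()
    foreach ($key in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                     'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        if (-not (Test-Path $key)) { continue }
        foreach ($ext in Get-ChildItem $key -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $ext.PSPath -ErrorAction SilentlyContinue
            $pathExists = [bool]($p.path -and (Test-Path -LiteralPath $p.path))
            $results += [pscustomobject]@{
                Id         = $ext.PSChildName   # 32-letter extension id, e.g. bodfdknjhecmadheclfjkhhiofeagdbh
                Path       = $p.path            # .crx file the entry points at
                UpdateUrl  = $p.update_url
                PathExists = $pathExists
            }
        }
    }
    return $results
}

'== SafeBoot driver entries =='
Get-SafeBootDriverEntries | Format-Table -AutoSize
'== Alternate data streams on C:\ProgramData\TEMP =='
Get-AlternateDataStreams | Format-Table -AutoSize
'== Chrome extensions installed via HKLM =='
Get-RegistryInstalledChromeExtensions | Format-Table -AutoSize
```

Run it once before pressing Fix and once after the reboot: the SafeBoot entry, the stream and the two DAP extension ids should be absent from the second run, and anything that survives belongs in the next reply to the helper rather than in a manual registry edit. The Chrome function also reports registry-installed extensions that are legitimate (such as ones a vendor installer registers), so an entry is not suspect just because it appears in this list.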
I ran as suggested. I did not check “list BCD” or “drivers” boxes as you did not ask to do so this time.
You’ve run TDSSKiller; please attach the log file.
TDSS Report
How’s your computer behaving now?
Avast still tells me that a threat has been detected URL:Mal
[*] Please download ComboFix and save it to your Desktop.
You may read how Combofix works here.
[*] Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. They may interfere with Combofix.
If you are unsure how to do this please read this or this Instruction.
[*] Run ComboFix. Click on I Agree! & follow the prompts.
Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.
[*] When finished, it will produce a report for you. Please attach the log report (ComboFix.txt) to the topic.
(typical log location: C:\ComboFix.txt )
combofix report
Looks clean, apparently FP.
It is necessary to uninstall ComboFix:
[*] Click Start (or the Start orb on Vista and later), then Run.
On Windows7 or Vista you may use Start Search field if Run is not available.
[*] In the text field, type (or copy) the following:
ComboFix /Uninstall
Note that there is a space between " ComboFix " and " /Uninstall " .
[*] then click OK (or press Enter ).
Wait until the uninstall process is complete.
Thanks Argus. Any idea why avast still blocks entry to my news website if this is a FP?
My other PCs are also affected, possibly by transferring data on my pen drive.
I’d hate to have a trojan accessing sensitive data
Should I report as FP when the Avast alert pops up?